Handling of unauthenticated entries

I have noticed in default/props.conf that you have added the following:

EVAL-user = coalesce(src_user,dest_user,recipient,sender,"unknown")

This has the consequence of having missing user fields be populated with the string unknown instead of being left NULL. The CIM standards are not clear on whether this is acceptable behavior, but I would respectfully like to submit that this is far from ideal.

Think about it - this behavior makes it impossible for code querying those events based on the CIM fields alone to distinguish accesses performed by a user account named unknown from those that were not authenticated at all.
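To make the ambiguity concrete, here is an added example (not code from the post or from the app it discusses) that emulates Splunk's coalesce semantics in Python over constructed events. The nullable variant is an assumed alternative for comparison, not something the post proposes.

```python
# Added example: simulates EVAL-user = coalesce(src_user,dest_user,recipient,
# sender,"unknown") over constructed events to show why a literal default
# collides with a real account named "unknown".

def coalesce(*values):
    """Splunk-style coalesce: returns the first argument that is not null."""
    for v in values:
        if v is not None:
            return v
    return None

def eval_user_with_default(event):
    # Mirrors the EVAL line quoted in the post: missing users become "unknown".
    return coalesce(event.get("src_user"), event.get("dest_user"),
                    event.get("recipient"), event.get("sender"), "unknown")

def eval_user_nullable(event):
    # Assumed alternative (not from the post): same coalesce without the
    # literal default, so unauthenticated events keep user = null.
    return coalesce(event.get("src_user"), event.get("dest_user"),
                    event.get("recipient"), event.get("sender"))

# Constructed sample events: an account literally named "unknown",
# an event with no user fields at all, and an ordinary login.
EVENTS = [
    {"id": 1, "src_user": "unknown", "action": "success"},
    {"id": 2, "action": "success"},
    {"id": 3, "src_user": "alice", "action": "success"},
]

def search_user(events, user_eval, value):
    """Emulates `... | search user=<value>` using only the CIM user field."""
    return [e["id"] for e in events if user_eval(e) == value]

def unauthenticated(events, user_eval):
    """Events whose CIM user field is null after the eval (unauthenticated)."""
    return [e["id"] for e in events if user_eval(e) is None]

if __name__ == "__main__":
    # With the literal default, event 2 (no user) is indistinguishable from
    # event 1 (account named "unknown"), and nothing is reported as unauthenticated.
    print(search_user(EVENTS, eval_user_with_default, "unknown"))  # [1, 2]
    print(unauthenticated(EVENTS, eval_user_with_default))         # []
    # Without it, the two cases stay separable.
    print(search_user(EVENTS, eval_user_nullable, "unknown"))      # [1]
    print(unauthenticated(EVENTS, eval_user_nullable))             # [2]
```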